Update docker images to reduce security vulnerabilities #211

Status: Merged (18 commits, Feb 4, 2025)

Conversation

adthrasher (Member)

@adthrasher adthrasher commented Jan 31, 2025

This resolves 960 security vulnerabilities, mainly by switching compatible images to an alpine base image. Other improvements include updating base OS versions and updating packages. There are 25 remaining security vulnerabilities, all of which are Low/Medium by Snyk (see Snyk's severity level documentation). All of the remaining vulnerabilities are in the util image (which uses Ubuntu 24.04). We do an apt-get upgrade in the image and I've skimmed most of the remaining vulnerabilities and they have no fixed version in 24.04. So the only "fix" would be to change to a different image that does not have those vulnerabilities.

One important thing to note, the Python alpine-based images (python:3.13.1-alpine) are all using the 3.21 release from 12/05/2024. So it's unlikely that it has no vulnerabilities, but rather that those have not been discovered and reported. Here is the list from the prior 3.20 release. The R image (ghcr.io/r-hub/r-minimal/r-minimal:4.4.2) uses the older 3.19 release with slightly more vulnerabilities.

Before submitting this PR, please make sure:

  • You have added a few sentences describing the PR here.
  • You have added yourself or the appropriate individual as the assignee.
  • You have added at least one relevant code reviewer to the PR.
  • The code passes all CI tests without any errors or warnings.
  • You have added tests (when appropriate).
  • You have added an entry in any relevant CHANGELOGs (when appropriate).
  • If you have made any changes to the scripts/ or docker/ directories, please ensure any image versions have been incremented accordingly!
  • You have updated the README or other documentation to account for these changes (when appropriate).

@adthrasher adthrasher self-assigned this Jan 31, 2025
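The description above splits the remaining findings into "fixable by upgrading" and "no fixed version in the distro". That split is the check worth automating so the CI gate fails on what a package bump can actually close and only reports the rest. The script below is an added example, not code from this PR or this repository; it assumes a scanner report in the shape of Trivy's JSON output (`trivy image --format json IMAGE`), whereas the PR used Snyk Container via GitHub Advanced Security, whose JSON layout differs. The embedded report, its identifiers (`EXAMPLE-0001` etc.) and package names are constructed placeholders, not real advisories.

```python
"""Triage a container-scan report: fixable findings vs. findings with no fixed version."""
import json
from collections import Counter

# Constructed sample in the shape of Trivy's JSON report (assumption: the reader
# scans with Trivy; Snyk's JSON differs). IDs and package names are placeholders.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "example/util:1.0",
    "Results": [
        {
            "Target": "example/util:1.0 (ubuntu 24.04)",
            "Class": "os-pkgs",
            "Vulnerabilities": [
                {"VulnerabilityID": "EXAMPLE-0001", "PkgName": "pkg-a",
                 "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2",
                 "Severity": "HIGH"},
                # No FixedVersion key at all: the distro has not shipped a fix.
                {"VulnerabilityID": "EXAMPLE-0002", "PkgName": "pkg-b",
                 "InstalledVersion": "2.3", "Severity": "MEDIUM"},
                # Empty FixedVersion: same meaning, different scanner versions emit this.
                {"VulnerabilityID": "EXAMPLE-0003", "PkgName": "pkg-c",
                 "InstalledVersion": "0.9", "FixedVersion": "",
                 "Severity": "LOW"},
            ],
        },
        {
            "Target": "/app/requirements.txt",
            "Class": "lang-pkgs",
            "Vulnerabilities": [
                {"VulnerabilityID": "EXAMPLE-0004", "PkgName": "somelib",
                 "InstalledVersion": "1.4.0", "FixedVersion": "1.4.1, 2.0.0",
                 "Severity": "CRITICAL"},
            ],
        },
    ],
})


def load_findings(report_json):
    """Flatten a Trivy-style report into one flat dict per finding."""
    report = json.loads(report_json)
    findings = []
    for result in report.get("Results", []):
        # Trivy emits null (not []) for targets with no findings.
        for vuln in result.get("Vulnerabilities") or []:
            findings.append({
                "id": vuln["VulnerabilityID"],
                "target": result.get("Target", ""),
                "package": vuln.get("PkgName", ""),
                "installed": vuln.get("InstalledVersion", ""),
                "fixed": vuln.get("FixedVersion") or "",  # missing or "" means no fix
                "severity": vuln.get("Severity", "UNKNOWN").upper(),
            })
    return findings


def triage(findings):
    """Split findings by whether a fixed version exists.

    Fixable ones are closed by bumping the package or base image; unfixable
    ones cannot be closed by `apt-get upgrade`, only by moving to a base image
    that does not ship the affected package at all.
    """
    fixable = [f for f in findings if f["fixed"]]
    unfixable = [f for f in findings if not f["fixed"]]
    return {
        "fixable": fixable,
        "unfixable": unfixable,
        "by_severity": Counter(f["severity"] for f in findings),
    }


def should_block(findings, block_severities=("CRITICAL", "HIGH")):
    """CI gate: fail only on findings that are both severe and actually fixable.

    Unfixable findings are still listed, but failing the build on them would
    only teach people to ignore the scanner; they need a base-image decision.
    """
    return any(f["fixed"] and f["severity"] in block_severities for f in findings)


def summary_lines(findings):
    """Human-readable report, one line per finding, fixable ones first."""
    t = triage(findings)
    lines = [f"{len(findings)} findings: {len(t['fixable'])} fixable, "
             f"{len(t['unfixable'])} with no fixed version"]
    for f in t["fixable"]:
        lines.append(f"  FIX   {f['severity']:<8} {f['id']} {f['package']} "
                     f"{f['installed']} -> {f['fixed']}")
    for f in t["unfixable"]:
        lines.append(f"  NOFIX {f['severity']:<8} {f['id']} {f['package']} "
                     f"{f['installed']} ({f['target']})")
    return lines


if __name__ == "__main__":
    fs = load_findings(SAMPLE_REPORT)
    print("\n".join(summary_lines(fs)))
    raise SystemExit(1 if should_block(fs) else 0)
```

Point the script at a real report by replacing `SAMPLE_REPORT` with the file contents; the exit code is what the CI step keys on, while the NOFIX lines are the list to carry into the base-image discussion. Note that, as the description's caveat about the freshly cut alpine 3.21 release implies, an empty NOFIX list on a very new base image means nothing has been reported yet, not that nothing is there.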

@github-advanced-security github-advanced-security bot left a comment


Snyk Container found more than 20 potential problems in the proposed changes. Check the Files changed tab for more details.

docker/estimate/Dockerfile: Fixed
docker/estimate/Dockerfile: Fixed
docker/estimate/Dockerfile: Fixed
docker/estimate/Dockerfile: Fixed
@adthrasher (Member, Author)

Tagging @mcrusch and @claymcleod so they're aware. Specifically, since Mike and I discussed security vulnerabilities last week.

@adthrasher (Member, Author)

Also tagging @kevin-benton as his team has significantly more experience with security vulnerability scanning.

@adthrasher adthrasher marked this pull request as ready for review February 3, 2025 16:24
claymcleod (Member) previously approved these changes Feb 3, 2025

@claymcleod claymcleod left a comment


Seems reasonable to me.

@adthrasher adthrasher requested a review from a-frantz February 4, 2025 19:10
a-frantz (Member) previously approved these changes Feb 4, 2025

@a-frantz a-frantz left a comment


Approving, even though my review will be dismissed when you switch the container values back to main.

workflows/methylation/methylation-cohort.wdl: resolved
workflows/methylation/methylation-cohort.wdl: resolved
@adthrasher adthrasher merged commit 3ff44f4 into main Feb 4, 2025
20 of 43 checks passed
@adthrasher adthrasher deleted the update_images branch February 4, 2025 20:20